Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A computer-implemented method comprising: receiving, at a computing device, an evidence corresponding to a malicious activity, wherein the evidence is received from an external computing device and is stored in a file by the computing device; extracting, by the computing device with an extraction engine, one or more indicators from the evidence by analyzing the contents of the file in which the evidence was stored; creating, with the computing device, a sensor based rule from the one or more indicators; bidirectionally linking, by the computing device, the one or more indicators extracted from the evidence to the evidence from which the indicators were extracted, wherein the linking is to the evidence stored in the file by the computing device and establishes a bidirectional linkage between the one or more indicators and the evidence from which the indicators were extracted, wherein the bidirectional linkage between the one or more indicators and the evidence is used to determine that the one or more indicators were extracted from the evidence; bidirectionally linking the sensor based rule to the evidence it originated from, wherein the linking establishes a bidirectional linkage between the sensor based rule and the evidence wherein the bidirectional linkage between the sensor based rule and the evidence is used to determine that the sensor based rule originated from the evidence; bidirectionally linking the sensor based rule to the indicator it originated from, wherein the linking establishes a bidirectional linkage between the sensor based rule and the indicator wherein the bidirectional linkage between the sensor based rule and the indicator is used to determine that the sensor based rule originated from the indicator; and creating a sensor configuration for tasking the sensor based rule to a sensor of an intrusion prevention or intrusion detection system, wherein the sensor monitors one or more of the computer system and a network infrastructure to which the computer system is connected.
A computer-implemented method detects and responds to malicious activities by processing evidence from external sources. The method involves receiving evidence of malicious activity, stored as a file, and extracting indicators from the file's contents using an extraction engine. These indicators are used to create a sensor-based rule, which is then bidirectionally linked to the original evidence and the extracted indicators. The bidirectional links ensure traceability, allowing the system to verify that the rule and indicators originated from the evidence. The method also generates a sensor configuration to deploy the rule to an intrusion prevention or detection system, enabling monitoring of a computer system and its network infrastructure. This approach enhances threat detection by maintaining clear relationships between evidence, indicators, and rules, improving the accuracy and reliability of security monitoring.
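The pipeline claim 1 describes (ingest evidence file, extract indicators, build a sensor based rule, link rule to indicator and to evidence in both directions, emit a sensor configuration) can be shown end to end in a few dozen lines. The example below is added for illustration and is not code from the patent or from any product that implements it; the evidence text, the indicator regexes, the indicator-to-sensor-type table and the Suricata-style rule templates are all assumptions made for this example. The store records every link on both ends, so the same data answers "which indicator did this rule come from" and "which rules came from this indicator", and a sensor can be traced back to the report behind the rules it runs.

```python
import hashlib
import re
from collections import defaultdict, deque
from urllib.parse import urlparse

# Constructed sample evidence, standing in for a report received from an
# external party and stored as a file by the analyst platform.
EVIDENCE_TEXT = """Incident report (constructed sample, not a real incident)
Beacon traffic observed to 203.0.113.45 on port 8443.
Dropper fetched from http://malware-example.invalid/update.bin
SHA256 of dropper: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
"""

# Indicator types the extraction engine knows, the sensor type each is tasked
# to (claim 4) and a rule template per type. All three tables are assumptions
# made for this example; the network rules use Suricata-style syntax.
INDICATOR_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b"),
}
SENSOR_TYPE_FOR = {"ipv4": "network_ids", "domain": "dns_sensor", "sha256": "endpoint_agent"}
RULE_TEMPLATES = {
    "ipv4": 'alert ip $HOME_NET any -> {value} any (msg:"C2 address from {src}"; sid:{sid}; rev:1;)',
    "domain": 'alert dns $HOME_NET any -> any any (msg:"C2 domain from {src}"; dns.query; content:"{value}"; sid:{sid}; rev:1;)',
    "sha256": "block_hash sha256={value} source={src}",
}

class ProvenanceStore:
    """Entities keyed "kind:key" plus a symmetric adjacency set: one link()
    call records the relation on both ends, which makes every link bidirectional."""

    def __init__(self):
        self.entities, self.links = {}, defaultdict(set)

    def add(self, kind, key, **data):
        eid = f"{kind}:{key}"
        self.entities.setdefault(eid, {"kind": kind, "key": key, **data})
        return eid

    def link(self, a, b):
        self.links[a].add(b)
        self.links[b].add(a)

    def linked(self, eid, kind):
        """Direct neighbours of one kind: 'did this rule originate from that indicator?'"""
        return sorted(self.entities[x]["key"] for x in self.links[eid]
                      if self.entities[x]["kind"] == kind)

    def reachable(self, start, kind):
        """Entities of `kind` reachable over any number of links, e.g. from a
        sensor back to the evidence behind the rules it runs (claim 11)."""
        seen, queue, hits = {start}, deque([start]), set()
        while queue:
            for nxt in self.links[queue.popleft()] - seen:
                seen.add(nxt)
                queue.append(nxt)
                if self.entities[nxt]["kind"] == kind:
                    hits.add(self.entities[nxt]["key"])
        return sorted(hits)

def extract_indicators(store, evidence_id):
    """Extraction engine: scan the stored file and link every indicator back to it."""
    found = []
    for itype, pattern in INDICATOR_PATTERNS.items():
        for value in pattern.findall(store.entities[evidence_id]["text"]):
            pairs = [(itype, value)]
            if itype == "url":                 # a URL also yields its host as a domain indicator
                pairs.append(("domain", urlparse(value).hostname))
            for t, v in pairs:
                iid = store.add("indicator", f"{t}={v}", type=t, value=v)
                store.link(iid, evidence_id)
                found.append(iid)
    return found

def create_rule(store, indicator_id, sid):
    """Rule editor: build a rule from one indicator and link it to both the
    indicator and the evidence that indicator was extracted from."""
    ind = store.entities[indicator_id]
    if ind["type"] not in RULE_TEMPLATES:      # e.g. a raw URL gets no rule here
        return None
    evidence = store.linked(indicator_id, "evidence")
    text = RULE_TEMPLATES[ind["type"]].format(value=ind["value"], src=",".join(evidence), sid=sid)
    rid = store.add("rule", f"sid-{sid}", text=text, sensor_type=SENSOR_TYPE_FOR[ind["type"]])
    store.link(rid, indicator_id)
    for key in evidence:
        store.link(rid, f"evidence:{key}")
    return rid

def task_rule(store, rule_id, sensor_name):
    """Emit the sensor configuration and record the rule->sensor link (claim 8)."""
    rule = store.entities[rule_id]
    store.link(rule_id, store.add("sensor", sensor_name, type=rule["sensor_type"]))
    return {"sensor": sensor_name, "sensor_type": rule["sensor_type"], "rules": [rule["text"]]}

def build_pipeline(text=EVIDENCE_TEXT):
    """ingest -> extract -> rule -> task; returns the store and the sensor configs."""
    store, configs = ProvenanceStore(), []
    digest = hashlib.sha256(text.encode()).hexdigest()   # pins the file content the links point at
    evidence_id = store.add("evidence", "report-001", sha256=digest, text=text)
    for sid, iid in enumerate(extract_indicators(store, evidence_id), start=1000001):
        rid = create_rule(store, iid, sid)
        if rid:
            configs.append(task_rule(store, rid, store.entities[rid]["sensor_type"] + "-1"))
    return store, configs
```

Calling `build_pipeline()` on the constructed report yields three sensor configurations (network IDS, DNS sensor, endpoint agent); `store.linked("rule:sid-1000003", "indicator")` returns only the domain indicator the DNS rule was built from, while `store.reachable("sensor:dns_sensor-1", "evidence")` walks rule and indicator links back to `report-001`. Keeping the evidence hash on the evidence entity is what lets the links stay meaningful if the file is later re-ingested.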
2. The method of claim 1 , further comprising: attributing the malicious activity to a specific actor; bidirectionally linking the evidence to the attributed actor; and bidirectionally linking the indicator to the attributed actor.
This invention relates to cybersecurity, specifically to methods for analyzing and attributing malicious cyber activities to specific actors. The problem addressed is the difficulty in accurately identifying and linking cyber threats to their sources, which is critical for effective threat intelligence and response. The method involves detecting malicious activity in a network, identifying indicators of compromise (IOCs) associated with the activity, and analyzing the IOCs to determine their origin. The method further includes attributing the malicious activity to a specific actor, such as a cybercriminal group or nation-state. Once attributed, the method establishes bidirectional links between the evidence of the activity, the IOCs, and the attributed actor. This ensures that all relevant data is interconnected, allowing for comprehensive tracking and analysis of the threat. By maintaining these bidirectional links, investigators can trace the evidence back to the actor and vice versa, improving the accuracy and reliability of threat attribution. This approach enhances cybersecurity defenses by providing a clear and structured way to understand the relationships between threats, indicators, and actors. The method supports better decision-making in threat mitigation and response strategies.
3. The method of claim 1 , wherein: determining whether associated sensor based rules exist based on historical data; and determining whether associated sensor based rules are tasked based on current security data.
4. The method of claim 1 , further comprising identifying which sensor type to employ for mitigation based on the indicator type.
5. The method of claim 1 , further comprising: determining the sensor based rule adheres to the schema associated with the sensor vendor; and determining that the sensor based rule adheres to the best practices specified by the sensor vendor.
This invention relates to sensor-based rule validation in industrial or IoT systems. The problem addressed is ensuring that rules governing sensor data processing adhere to both the schema defined by the sensor vendor and the vendor's best practices, which are critical for reliable operation and compliance. The method involves validating sensor-based rules by first checking that the rule structure conforms to the schema provided by the sensor vendor. This schema defines the required format, data types, and constraints for rules to be compatible with the sensor hardware or software. Additionally, the method verifies that the rule follows the vendor's best practices, which may include performance optimizations, security guidelines, or operational constraints specific to the sensor model. These checks prevent errors, improve system reliability, and ensure optimal sensor performance. The validation process may include parsing the rule to verify its syntax and structure against the schema, as well as comparing rule parameters against predefined best practices. If discrepancies are found, the system may flag them for correction or suggest modifications to align with the vendor's standards. This approach is particularly useful in large-scale deployments where multiple sensors from different vendors are integrated into a unified monitoring or control system. By enforcing schema and best practice compliance, the method reduces integration challenges and minimizes operational risks.
6. The method of claim 1 , further comprising determining that the sensor based rule will create no more than a threshold number of false positives.
A system and method for sensor-based rule evaluation in monitoring applications, particularly in industrial or environmental monitoring, addresses the challenge of ensuring reliable detection of events while minimizing false positives. The method involves analyzing sensor data to detect events of interest, such as equipment failures or environmental changes, using predefined rules. These rules are evaluated to determine their effectiveness in identifying true events while avoiding false alarms. A key aspect is assessing whether a sensor-based rule will generate no more than a predefined threshold of false positives, ensuring the system maintains accuracy and reliability. This involves statistical analysis of historical sensor data to model the rule's performance under various conditions. The method may also include adjusting the rule parameters or selecting alternative rules if the false positive rate exceeds the threshold. The system may integrate multiple sensors and apply machine learning techniques to refine rule evaluation over time. The goal is to optimize event detection accuracy while reducing unnecessary alerts, improving operational efficiency and decision-making in monitoring applications.
7. The method of claim 1 , further comprising presenting the user with all available sensors available to task based on the sensor based rule type.
This invention relates to sensor-based task management systems, specifically addressing the challenge of efficiently selecting and utilizing available sensors for task execution. The system dynamically identifies and presents all sensors that are compatible with a given task based on predefined sensor-based rule types. These rule types define the criteria for sensor compatibility, such as sensor type, functionality, or environmental conditions. The method involves analyzing the task requirements, cross-referencing them with the sensor-based rules, and filtering the available sensors to display only those that meet the specified criteria. This ensures that users are provided with a curated list of sensors that are suitable for the task at hand, improving efficiency and reducing the risk of errors. The system may also include additional features such as sensor prioritization, real-time availability checks, and user feedback mechanisms to refine sensor selection over time. The goal is to streamline sensor task assignment by automating the compatibility assessment process, thereby enhancing operational workflows in environments where multiple sensors are deployed.
8. The method of claim 1 , further comprising bidirectionally linking the sensor based rule to the sensors the sensor based rule is tasked to.
A system and method for managing sensor-based rules in an industrial or IoT environment involves dynamically linking rules to the sensors they monitor. The method includes creating sensor-based rules that define conditions or thresholds for triggering actions, such as alerts or automated responses, based on sensor data. These rules are then bidirectionally linked to the specific sensors they are designed to monitor, ensuring that changes to either the rule or the sensor configuration are automatically reflected in the other. This bidirectional linkage allows for real-time synchronization, reducing manual configuration errors and improving system reliability. The system may also include a user interface for defining, modifying, and monitoring these rules, as well as a backend engine that processes sensor data and executes the associated rules. The method ensures that sensor-based rules remain accurate and up-to-date, even as sensor deployments or operational requirements change. This approach enhances automation, reduces maintenance overhead, and improves the responsiveness of sensor-driven systems.
9. The method of claim 1 , further comprising: monitoring the tasked sensor based rule; and receiving one or more triggers associated with the sensor based rule.
A system and method for sensor-based monitoring and rule enforcement in industrial or IoT environments. The technology addresses the challenge of efficiently managing and responding to sensor data in real-time, particularly in large-scale deployments where manual oversight is impractical. The invention involves defining sensor-based rules that specify conditions under which actions should be taken, such as alerts, adjustments, or shutdowns. These rules are dynamically applied to sensors based on their operational context, ensuring adaptability to changing conditions. The system monitors the execution of these rules in real-time, tracking sensor outputs and environmental factors to detect rule triggers. When a trigger condition is met, the system generates a response, such as sending notifications to operators or initiating automated corrective measures. The method also includes receiving and processing multiple triggers associated with a single rule, allowing for complex event handling. This approach improves operational efficiency, reduces downtime, and enhances safety by automating responses to sensor data anomalies. The system is particularly useful in industrial automation, smart infrastructure, and predictive maintenance applications.
10. The method of claim 9 , further comprising: determining that the one or more triggers is above a predetermined noise level; and initiating an investigation if the one or more hits is above the predetermined noise level.
11. The method of claim 1 , further comprising accessing the one or more evidences by selecting a representation of one selected from the group consisting of: the indicator, the sensor based rule, and the sensor.
A method for accessing evidence in a sensor-based monitoring system addresses the challenge of efficiently retrieving relevant data for troubleshooting or analysis. The system monitors sensors and applies sensor-based rules to detect anomalies or events, generating indicators when conditions are met. The method involves accessing evidence related to these indicators by selecting a representation of either the indicator itself, the sensor-based rule that triggered it, or the specific sensor involved. This allows users to quickly investigate the root cause of detected issues by navigating through the interconnected elements of the system. The method ensures that all relevant data, including sensor readings, rule logic, and contextual information, is accessible through a streamlined interface, improving diagnostic efficiency and reducing downtime in industrial or IoT applications. The approach simplifies evidence retrieval by providing multiple entry points, enhancing usability for operators and technicians.
12. The method of claim 1 , further comprising accessing the indicator by selecting a representation of one selected from the group consisting of: the one or more evidences, the sensor based rule, an actor, and the sensor.
This invention relates to a system for monitoring and managing sensor-based rules in an industrial or automated environment. The problem addressed is the need for improved visibility and control over sensor data, rules, and actors (devices or systems that act based on sensor inputs). The invention provides a method for accessing and interacting with indicators that represent various components of the system, such as sensor data, rules, actors, or the sensors themselves. These indicators allow users to monitor the status, performance, or configuration of these components. The method involves selecting a representation of one of these elements—such as a specific piece of sensor evidence, a rule that processes sensor data, an actor that performs actions based on rules, or the sensor itself—to access detailed information or controls associated with that element. This selection mechanism enables users to quickly navigate and manage the system, ensuring proper operation and troubleshooting. The invention enhances transparency and usability in sensor-based automation systems by providing direct access to critical components through intuitive representations.
13. The method of claim 1 , further comprising accessing the sensor based rule based by selecting a representation of one selected from the group consisting of: the one or more evidences, the indicator, an actor, and the sensor.
A system and method for sensor-based rule evaluation in a monitoring or control environment. The technology addresses the challenge of efficiently accessing and applying sensor-derived rules to improve decision-making or automation processes. The method involves generating one or more evidences from sensor data, where each evidence represents a detected condition or state. These evidences are then used to derive an indicator, which may represent a higher-level status or derived metric. The system also identifies actors, which are entities capable of performing actions based on the rules. The method further includes accessing a sensor-based rule set by selecting a representation of either the evidences, the indicator, the actor, or the sensor itself. This selection allows for dynamic rule retrieval and application, enabling adaptive responses to changing conditions. The rules may define actions, thresholds, or conditions that trigger specific responses, enhancing system automation and decision-making accuracy. The approach improves efficiency by allowing direct access to relevant rules based on the selected representation, reducing the need for exhaustive rule searches. This method is applicable in industrial automation, environmental monitoring, or any system requiring real-time sensor-based decision-making.
14. The method of claim 1 , further comprising accessing sensor information by selecting a representation of one selected from the group consisting of: the one or more evidences, the indicator, an actor and the sensor based rule.
15. The method of claim 1 , further comprising accessing attributed actor information by selecting a representation of one selected from the group consisting of: the one or more evidences, the indicator, and the sensor based rule.
This invention relates to systems for analyzing and attributing actions or events to actors, such as in cybersecurity, surveillance, or automated decision-making. The problem addressed is the difficulty in accurately identifying and attributing actions to specific actors, especially when multiple sources of evidence or indicators are involved. The invention provides a method to enhance attribution by allowing users to interactively select and access detailed actor information based on various data points. The method involves processing one or more evidences, which may include logs, alerts, or sensor data, to generate an indicator that represents a potential action or event. A sensor-based rule is applied to analyze the indicator and determine its relevance or significance. The method further includes accessing attributed actor information by selecting a representation of either the evidence, the indicator, or the sensor-based rule. This allows users to drill down into the details of the actor responsible for the action, improving transparency and accountability in the system. The attributed actor information may include identity, role, or contextual details that help in understanding the actor's involvement. This interactive approach ensures that users can efficiently investigate and verify the attribution process, reducing false positives and improving decision-making.
16. The method of claim 1 , further comprising accessing evidence information by selecting a representation of one selected from the group consisting of: the one or more indicators, the sensor based rules, and the actors.
17. The method of claim 1 , further comprising accessing a history based on one selected from the group consisting of: an evidence, an indicator, a sensor based rule, and an actor.
This invention relates to a method for enhancing decision-making or system operations by accessing and utilizing historical data. The method involves retrieving a history based on one or more specific criteria, including evidence, indicators, sensor-based rules, or actors. Evidence refers to data or information that supports or refutes a particular outcome or event. Indicators are measurable signals or metrics that provide insights into system performance or conditions. Sensor-based rules are predefined conditions or thresholds derived from sensor data, while actors represent entities or components that interact with or influence the system. By accessing this historical data, the method enables improved analysis, prediction, or automation of processes, particularly in fields such as industrial monitoring, cybersecurity, or autonomous systems. The method may involve collecting, storing, and processing the historical data to identify patterns, anomalies, or trends that inform decision-making or system adjustments. This approach enhances accuracy, efficiency, and reliability in various applications where historical context is critical.
18. The method of claim 1 , further comprising extracting, from the evidence, one or more selected from the group consisting of: an activity date, an attack pattern, and a target.
This invention relates to cybersecurity, specifically to methods for analyzing and extracting key information from digital evidence related to cyberattacks. The method involves processing digital evidence to identify and extract specific attack-related details, including the date of the activity, the attack pattern used, and the target of the attack. The extracted data helps security analysts understand the nature, timing, and scope of cyber threats, enabling more effective threat detection, response, and mitigation. The method may involve automated analysis of logs, network traffic, or other digital artifacts to detect anomalies or malicious behavior. By systematically extracting these details, the method improves incident response by providing structured, actionable insights into cyber threats. The invention enhances threat intelligence by correlating attack patterns with historical data, allowing organizations to identify recurring threats and refine their defenses. The extracted information can also be used to generate reports, alerts, or automated responses to mitigate ongoing attacks. This approach streamlines forensic investigations by reducing manual analysis time and improving accuracy in identifying attack vectors and affected systems. The method supports proactive security measures by enabling early detection of emerging threats and facilitating rapid incident containment.
19. The method of claim 1 , further comprising determining that an action to mitigate a threat needs to be taken based on the one or more indicators.
20. The method of claim 1 , further comprising: analyzing the evidence corresponding to the malicious activity; and identifying one or more indicators from the evidence.
A system and method for detecting and analyzing malicious activity in a computing environment. The technology addresses the challenge of identifying and mitigating cyber threats by analyzing evidence associated with malicious behavior. The method involves collecting evidence related to the malicious activity, such as network traffic, system logs, or file modifications. This evidence is then analyzed to extract relevant indicators, which may include IP addresses, domain names, file hashes, or behavioral patterns associated with the threat. The indicators are used to identify the nature of the malicious activity, its origin, and potential impact. This analysis helps in detecting ongoing attacks, attributing threats to specific actors, and improving future threat detection by incorporating the identified indicators into security systems. The method enhances cybersecurity by providing actionable insights derived from evidence, enabling more effective and timely responses to malicious activities.
21. The method of claim 1 , further comprising validating whether the sensor based rule meets a threshold requirement.
A system and method for sensor-based rule validation in industrial or IoT environments addresses the challenge of ensuring reliable and accurate sensor data processing. The invention involves a sensor network that collects data from multiple sensors deployed in a monitored environment. The system processes this sensor data to generate rules or conditions based on predefined criteria, such as thresholds, trends, or anomalies. These rules are then applied to incoming sensor data to trigger actions, such as alerts, adjustments, or system responses. The method includes validating whether the sensor-based rules meet specified threshold requirements before implementation. This validation step ensures that the rules are accurate, reliable, and aligned with operational needs. The system may compare the rules against historical data, statistical models, or predefined performance metrics to confirm their validity. If a rule fails validation, it may be adjusted, discarded, or flagged for review. This validation process enhances system reliability, reduces false positives, and improves decision-making based on sensor data. The invention is particularly useful in industrial automation, predictive maintenance, environmental monitoring, and smart infrastructure applications where accurate sensor-based decision-making is critical. By ensuring that sensor rules meet threshold requirements, the system minimizes errors and optimizes performance in real-time operations.
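Claims 5, 6 and 21 all describe checks a rule engine runs before a rule is tasked: conformance to the sensor vendor's schema, conformance to the vendor's best practices, and an estimate that the rule will not exceed a false-positive threshold. The example below is added here to make those checks concrete and is not the patent's or any vendor's code. The schema is a simplified Suricata-like grammar, the two best-practice limits are assumed values, and the "historical data" is a constructed, known-benign DNS log, so every hit the rule produces on it counts as a false positive.

```python
import json
import re

# Vendor schema for this example: a simplified Suricata-like rule grammar
# (header, then options in parentheses). An assumption, not a vendor's spec.
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")
ALLOWED_ACTIONS = {"alert", "drop", "pass", "reject"}
ALLOWED_PROTOS = {"ip", "tcp", "udp", "dns", "http"}
REQUIRED_OPTS = {"msg", "sid", "rev"}
LOCAL_SID_MIN = 1000000    # assumed best practice: local rules use the local sid range
MIN_CONTENT_LEN = 8        # assumed best practice: very short content matches are noisy

# Constructed known-benign DNS log (loosely EVE-shaped), one day of traffic.
BENIGN_DNS_LOG = [
    '{"ts":"2024-05-01T08:00:01Z","query":"update.example.com"}',
    '{"ts":"2024-05-01T08:00:05Z","query":"cdn.example.com"}',
    '{"ts":"2024-05-01T09:12:44Z","query":"update.example.com"}',
    '{"ts":"2024-05-01T10:30:00Z","query":"mail.example.org"}',
    '{"ts":"2024-05-01T11:45:10Z","query":"updates.vendor.example"}',
    '{"ts":"2024-05-01T13:05:59Z","query":"login.example.net"}',
]

def parse_rule(text):
    """Parse header and options against the schema; return (parsed, errors)."""
    m = HEADER_RE.match(text)
    if not m:
        return None, ["header does not match vendor schema"]
    parsed = m.groupdict()
    opts = {}
    for part in parsed.pop("opts").split(";"):   # option values must not contain ';'
        part = part.strip()
        if part:
            key, _, value = part.partition(":")
            opts[key.strip()] = value.strip().strip('"')
    parsed["opts"] = opts
    return parsed, []

def schema_errors(parsed):
    """Hard schema violations: the sensor would reject or misread the rule."""
    errors = []
    if parsed["action"] not in ALLOWED_ACTIONS:
        errors.append(f"unknown action {parsed['action']!r}")
    if parsed["proto"] not in ALLOWED_PROTOS:
        errors.append(f"unknown protocol {parsed['proto']!r}")
    for key in sorted(REQUIRED_OPTS - parsed["opts"].keys()):
        errors.append(f"missing required option {key!r}")
    if "sid" in parsed["opts"] and not parsed["opts"]["sid"].isdigit():
        errors.append("sid must be an integer")
    return errors

def best_practice_warnings(parsed):
    """Soft checks: the rule loads, but the vendor advises against it."""
    warnings, opts = [], parsed["opts"]
    if int(opts.get("sid", "0")) < LOCAL_SID_MIN:
        warnings.append(f"sid below local range {LOCAL_SID_MIN}")
    if not opts.get("msg"):
        warnings.append("msg is empty")
    if "content" in opts and len(opts["content"]) < MIN_CONTENT_LEN:
        warnings.append("content shorter than minimum length")
    return warnings

def count_false_positives(parsed, benign_log):
    """Replay the rule over historical benign traffic; every hit is a false
    positive because the log is known-benign. Only dns/content rules are modelled."""
    content = parsed["opts"].get("content")
    if parsed["proto"] != "dns" or content is None:
        return 0
    return sum(content in json.loads(line)["query"] for line in benign_log)

def validate_rule(text, benign_log=BENIGN_DNS_LOG, max_false_positives=1):
    """Schema first, then best practices and the false-positive threshold (claim 21)."""
    parsed, errors = parse_rule(text)
    if parsed:
        errors += schema_errors(parsed)
    if errors:
        return {"ok": False, "errors": errors, "warnings": [], "false_positives": None}
    warnings = best_practice_warnings(parsed)
    fps = count_false_positives(parsed, benign_log)
    if fps > max_false_positives:
        errors.append(f"{fps} false positives exceed threshold {max_false_positives}")
    return {"ok": not errors, "errors": errors, "warnings": warnings, "false_positives": fps}

# Three constructed candidate rules: one clean, one too broad, one malformed.
GOOD_RULE = ('alert dns $HOME_NET any -> any any (msg:"C2 domain from report-001"; '
             'dns.query; content:"malware-example.invalid"; sid:1000003; rev:1;)')
NOISY_RULE = ('alert dns $HOME_NET any -> any any (msg:"suspicious updater"; '
              'dns.query; content:"update"; sid:1000010; rev:1;)')
MALFORMED_RULE = ('alert dns $HOME_NET any -> any any (msg:"no sid"; '
                  'dns.query; content:"malware-example.invalid"; rev:1;)')
```

Run over the constructed log, `GOOD_RULE` validates with zero false positives, `NOISY_RULE` fails because its six-character `content:"update"` matches three benign queries (above the threshold of one) and also draws a best-practice warning, and `MALFORMED_RULE` is rejected at the schema stage for its missing `sid` before any traffic replay happens. The ordering matters in practice: replaying traffic for a rule the sensor cannot load is wasted work.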
22. The method of claim 1 , further comprising tracking the number of sensor based rule triggers.
A system and method for monitoring and analyzing sensor data involves collecting data from multiple sensors, processing the data to detect predefined conditions, and generating alerts or actions based on detected conditions. The system applies rules to the sensor data to identify specific events or states, such as environmental changes, equipment failures, or security breaches. The method further includes tracking the frequency of rule triggers, allowing for statistical analysis, performance monitoring, and system optimization. By counting how often each rule is activated, the system can identify patterns, optimize rule configurations, and improve decision-making processes. This tracking capability enhances system reliability, reduces false positives, and ensures timely responses to critical conditions. The method is applicable in industrial automation, environmental monitoring, healthcare, and smart infrastructure, where real-time data analysis and rule-based decision-making are essential. The system may also include data storage, visualization, and reporting features to provide insights into sensor performance and system behavior over time.
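Claims 9, 10 and 22 cover what happens after a rule is tasked: triggers come back from the sensor, the number of triggers per rule is tracked, and an investigation is opened only when the count rises above a predetermined noise level. The example below is added to show that bookkeeping and is not the patent's own code; the trigger log is constructed, the per-rule noise levels are assumed values (in practice they would come from the rule's validation run), and the one-hour window is an arbitrary choice.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Predetermined noise level per rule (sid): triggers per window that are
# expected even on clean traffic. Assumed values for this example.
NOISE_LEVEL = {1000001: 0, 1000003: 0, 1000010: 5}
WINDOW = timedelta(hours=1)

# Constructed sensor trigger log, one JSON line per alert (loosely EVE-shaped).
TRIGGER_LOG = [
    '{"ts":"2024-05-02T09:01:00Z","sensor":"network_ids-1","sid":1000001}',
    '{"ts":"2024-05-02T09:03:30Z","sensor":"network_ids-1","sid":1000001}',
    '{"ts":"2024-05-02T09:10:00Z","sensor":"dns_sensor-1","sid":1000010}',
    '{"ts":"2024-05-02T09:20:00Z","sensor":"dns_sensor-1","sid":1000010}',
    '{"ts":"2024-05-02T09:25:00Z","sensor":"dns_sensor-1","sid":1000010}',
    '{"ts":"2024-05-02T11:40:00Z","sensor":"dns_sensor-1","sid":1000003}',
    '{"ts":"2024-05-02T11:41:00Z","sensor":"dns_sensor-1","sid":1000010}',
]

def parse_trigger(line):
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec

def count_triggers(lines, window=WINDOW):
    """Track triggers per rule and per time window: {sid: Counter{window_start: n}}."""
    secs = int(window.total_seconds())
    counts = defaultdict(Counter)
    for rec in map(parse_trigger, lines):
        bucket = datetime.fromtimestamp(int(rec["ts"].timestamp()) // secs * secs, tz=timezone.utc)
        counts[rec["sid"]][bucket] += 1
    return counts

def rule_totals(counts):
    """Total trigger count per rule (claim 22)."""
    return {sid: sum(c.values()) for sid, c in counts.items()}

def investigations(counts, noise=NOISE_LEVEL):
    """Open an investigation for every (rule, window) whose trigger count is
    above that rule's predetermined noise level (claim 10); rules with no
    configured noise level are treated as zero-noise, i.e. any trigger counts."""
    opened = []
    for sid, per_window in counts.items():
        for start, n in per_window.items():
            if n > noise.get(sid, 0):
                opened.append({"sid": sid, "window": start.isoformat(),
                               "triggers": n, "noise_level": noise.get(sid, 0)})
    return sorted(opened, key=lambda i: (i["window"], i["sid"]))
```

On the constructed log the two rules built from the report fire two and one times respectively, and because their noise level is zero each of those windows opens an investigation; the broad rule 1000010 fires four times in total but never more than its five-per-window allowance, so it is tracked without being escalated. The split between `count_triggers` and `investigations` keeps the raw counts available for the statistics and tuning the translation above mentions, independent of the escalation decision.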
23. The method of claim 1 , further comprising identifying the sensor as being able to mitigate a threat, wherein the threat is based on the malicious activity.
A system and method for cybersecurity threat detection and mitigation involves monitoring network traffic to identify malicious activity. The system uses sensors deployed across a network to detect anomalies or suspicious behavior indicative of cyber threats. These sensors analyze data packets, network flows, or system logs to recognize patterns associated with known or emerging threats. Once a threat is detected, the system identifies which sensors are capable of mitigating the threat. Mitigation may involve blocking malicious traffic, isolating affected systems, or applying security patches. The system dynamically assesses sensor capabilities to determine the most effective response to the detected threat. This approach enhances network security by leveraging distributed sensors to both detect and mitigate threats in real time, reducing the impact of cyber attacks. The method ensures that only sensors with the appropriate capabilities are used for mitigation, optimizing resource allocation and improving overall system resilience.
24. A computer-implemented system for sensor based rules for responding to malicious activity comprising: a storage comprising at least one evidence, at least one indicator object, and at least one sensor based rule; and an analyst system comprising an ingestion engine, an extraction engine, a rule editor, and a rule engine, the ingestion engine configured to receive the at least one evidence corresponding to a malicious activity from an external computing device, store the at least one evidence corresponding to the malicious activity in a file, and analyze the at least one evidence corresponding to the malicious activity, the extraction engine configured to extract at least one indicator from the at least one evidence by analyzing the file in which the at least one evidence is stored, a rule editor to create the at least one sensor based rule from the at least one indicator, the rule engine configured to validate whether the at least one sensor based rule meets a threshold requirement, the analyst system configured to bidirectionally link the at least one indicator to the at least one evidence from which the at least one indicator was extracted wherein the link is to the at least one evidence stored in the file and establishes a bidirectional linkage between the at least one indicator and the at least one evidence from which the at least one indicator was extracted, wherein the bidirectional linkage between at least one indicator and the at least one evidence is used to determine that the at least one indicator was extracted from the at least one evidence, bidirectionally link the at least one sensor based rule to the at least one evidence it originated from, wherein the linking establishes a bidirectional linkage between the at least one sensor based rule and the at least one evidence wherein the bidirectional linkage between the at least one sensor based rule and the at least one evidence is used to determine that the at least one sensor based rule originated from the at least one evidence, bidirectionally link the at least one sensor based rule to the at least one indicator it originated from, wherein the linking establishes a bidirectional linkage between the at least one sensor based rule and the at least one indicator wherein the bidirectional linkage between the at least one sensor based rule and the at least one indicator is used to determine that the sensor based rule originated from the at least one indicator, and create a sensor configuration used to task the sensor based rule to a sensor of an intrusion prevention or intrusion detection system, wherein the sensor monitors one or more of the analyst system and a network infrastructure to which the analyst system is connected.
This system addresses the challenge of detecting and responding to malicious activity in computer networks by automating the creation and application of sensor-based rules. The system includes a storage component that holds evidence of malicious activity, extracted indicators, and sensor-based rules. An analyst system processes this data through several engines: an ingestion engine receives and analyzes evidence from external sources, storing it in files. An extraction engine then analyzes these files to identify and extract indicators of malicious activity. A rule editor allows analysts to create sensor-based rules from these indicators, while a rule engine validates whether the rules meet predefined threshold requirements. The system establishes bidirectional links between evidence, indicators, and rules, ensuring traceability of how rules originate from specific evidence and indicators. These links help verify the accuracy and relevance of the rules. The system also generates sensor configurations to deploy the rules to intrusion prevention or detection systems, which monitor the analyst system and connected network infrastructure for malicious activity. This approach enhances threat detection by automating rule creation and maintaining clear provenance of security rules.
25. The system of claim 24 , wherein the analyst system is further configured to monitor at least one tasked sensor based rule and receive one or more triggers associated with the at least one sensor based rule.
The system is designed for monitoring and analyzing sensor data in real-time to detect and respond to specific conditions or events. The system includes an analyst system that processes sensor data from one or more sensors to identify predefined conditions or anomalies. The analyst system is configured to monitor at least one sensor-based rule, which defines a set of conditions that must be met for a trigger to be generated. When the sensor data meets the criteria specified in the rule, the system receives one or more triggers, indicating that the defined condition has been detected. These triggers can then be used to initiate further actions, such as alerts, notifications, or automated responses. The system ensures continuous monitoring of sensor data to promptly detect and respond to critical events, improving situational awareness and decision-making in applications such as industrial automation, environmental monitoring, or security systems. The sensor-based rules can be customized to suit different monitoring requirements, allowing the system to adapt to various operational environments.
26. The system of claim 24 , wherein the analyst system is further configured to bidirectionally link the at least one sensor based rule to the sensors the at least one sensor based rule is tasked to.
This claim extends the provenance links from authoring to deployment: the analyst system links each sensor-based rule to the sensors it has been tasked to, and each sensor to the rules it carries, in both directions. Walking the link one way answers "where is this rule running?"; walking it the other way answers "which rules does this sensor run, and from which indicators and evidence do they derive?" That is what makes it possible to withdraw or update a rule on every sensor it was deployed to when its underlying indicator changes, to interpret a trigger from a particular sensor in terms of the rule's source evidence, and to audit that no sensor is running a rule whose origin cannot be established.
27. The system of claim 24 , wherein the analyst system is further configured to attribute the malicious activity to a specific actor, bidirectionally link the at least one evidence to the attributed actor; and bidirectionally link the at least one indicator to the attributed actor.
Here the analyst system attributes the malicious activity to a specific actor, such as a named group or campaign, and links both the evidence and the indicators extracted from it to that actor in both directions. From an actor one can enumerate every piece of evidence and every indicator tied to it; from a piece of evidence or an indicator one can see which actor it has been attributed to. Combined with the evidence-indicator-rule links of the base claim, this lets a trigger from a deployed rule be traced not only to its source evidence but to the actor believed responsible, and lets all rules derived from an actor's indicators be reviewed or retired together. The claim specifies the linkage, not the attribution method; attribution remains an analyst judgement informed by the evidence.
28. A system comprising: one or more computers and one or more storage devices storing instructions which are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising: receiving, at a computing device, an evidence corresponding to a malicious activity, wherein the evidence is received from an external computing device and is stored in a file by the computing device; extracting, by the computing device with an extraction engine, one or more indicators from the evidence by analyzing the contents of the file in which the evidence was stored; creating, with the computing device, a sensor based rule from the one or more indicators; bidirectionally linking, by the computing device, the one or more indicators extracted from the evidence to the evidence from which the indicators were extracted, wherein the linking is to the evidence stored in the file by the computing device and establishes a bidirectional linkage between the one or more indicators and the evidence from which the indicators were extracted, wherein the bidirectional linkage between the one or more indicators and the evidence is used to determine that the one or more indicators were extracted from the evidence; bidirectionally linking the sensor based rule to the evidence it originated from, wherein the linking establishes a bidirectional linkage between the sensor based rule and the evidence wherein the bidirectional linkage between the sensor based rule and the evidence is used to determine that the sensor based rule originated from the evidence; bidirectionally linking the sensor based rule to the indicator it originated from, wherein the linking establishes a bidirectional linkage between the sensor based rule and the indicator wherein the bidirectional linkage between the sensor based rule and the indicator is used to determine that the sensor based rule originated from the indicator; and creating a sensor configuration for tasking the sensor based rule to a sensor of an intrusion prevention or intrusion detection system, wherein the sensor monitors one or more of the computer system and a network infrastructure to which the computer system is connected.
The system operates in the domain of cybersecurity, specifically for detecting and preventing malicious activities within computer systems and network infrastructures. The problem addressed is the need to efficiently analyze evidence of malicious activities, extract relevant indicators, and generate actionable rules for intrusion detection or prevention systems while maintaining traceability between the evidence, indicators, and rules. The system includes one or more computers and storage devices that process evidence of malicious activities received from external sources. The evidence is stored in a file, and an extraction engine analyzes the file to identify indicators of malicious behavior. These indicators are then used to create a sensor-based rule, which is a set of instructions for detecting similar malicious activities. The system establishes bidirectional links between the evidence, the extracted indicators, and the generated rules. These links ensure traceability, allowing the system to verify the origin of each indicator and rule. The sensor-based rule is then integrated into a sensor configuration for deployment in an intrusion prevention or detection system. The sensor monitors the computer system and its connected network infrastructure, applying the rule to detect or block malicious activities based on the extracted indicators. This approach enhances threat detection by maintaining a clear lineage between evidence, indicators, and detection rules, improving the accuracy and reliability of security monitoring.
Unknown
January 16, 2018